Summary: | <dev-qt/qtgui-5.14.2-r1: Buffer Overread (CVE-2020-17507) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | qt |
Priority: | Normal | Keywords: | CC-ARCHES, PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
URL: | https://codereview.qt-project.org/c/qt/qtbase/+/308496 | ||
See Also: | https://github.com/gentoo/gentoo/pull/17183 | ||
Whiteboard: | A4 [glsa+ cve] | ||
Package list: | dev-qt/qtgui-5.14.2-r1 | ||
Runtime testing required: | --- |
Description
John Helmert III
2020-08-13 01:54:39 UTC
ping

Chiitoo, I just had a look, and it seems like Debian backported it to 5.14.x too:
https://sources.debian.org/patches/qtbase-opensource-src/5.14.2+dfsg-6/CVE-2020-17507.diff/

Much smaller, interestingly.

(In reply to Sam James from comment #2)
> Chiitoo, I just had a look, and it seems like Debian backported it to 5.14.x
> too:
> https://sources.debian.org/patches/qtbase-opensource-src/5.14.2+dfsg-6/CVE-2020-17507.diff/
>
> Much smaller, interestingly.

I guess we could do that too. They don't seem to bother with patching the test parts, and I'm not entirely sure if we use those parts either in any situation...

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=621b799854a30f790193cf9f6177cb297048412a

commit 621b799854a30f790193cf9f6177cb297048412a
Author: Jimi Huotari <chiitoo@gentoo.org>
AuthorDate: 2020-08-20 12:03:19 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-22 18:52:22 +0000

dev-qt/qtgui: fix CVE-2020-17507

Upstream commit: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c719
Reported-by: John Helmert III (ajak) <jchelmert3@posteo.net>
Bug: https://bugs.gentoo.org/736924
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/17183
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

.../qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch | 39 +++++
dev-qt/qtgui/qtgui-5.14.2-r1.ebuild | 185 +++++++++++++++++++++
dev-qt/qtgui/qtgui-5.15.0-r1.ebuild | 185 +++++++++++++++++++++
3 files changed, 409 insertions(+)

Thanks.

arm64 done

arm done

amd64 done

x86 done

ppc64 done

ppc done

all arches done

Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b63131a033258484a470290415c50cde1e6c63d2

commit b63131a033258484a470290415c50cde1e6c63d2
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-31 19:58:21 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-31 19:58:44 +0000

dev-qt/qtgui: Cleanup vulnerable 5.14.2 (r0)

Bug: https://bugs.gentoo.org/736924
Package-Manager: Portage-3.0.5, Repoman-3.0.1
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

dev-qt/qtgui/qtgui-5.14.2.ebuild | 184 ---------------------------------------
1 file changed, 184 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202009-04 at https://security.gentoo.org/glsa/202009-04 by GLSA coordinator Thomas Deutschmann (whissi).